Highlights:

  • Red Hat Trusted Profile Analyzer, the second of the new releases, provides a common repository for security documentation, including Vulnerability Exploitability eXchange (VEX) documents and Software Bills of Materials (SBOMs).
  • The CI/CD pipeline's vulnerability scanning and policy checks, which stop suspect builds from being promoted into production, are also available to enterprise customers.

Red Hat updates Trusted Software Supply Chain, which helps businesses shift security "left" in the software supply chain so that vulnerabilities are caught earlier.

In May 2023, Red Hat Inc. unveiled Trusted Software Supply Chain, presenting it as an answer to the growing threat of software supply chain attacks. The service protects software pipelines by verifying where software components come from, automating security checks, and providing a curated catalog of vetted open-source packages.

Alongside support for industry standards and compliance requirements, the new enhancements are intended to help customers embed security into the software development life cycle and improve software integrity earlier in the supply chain.

The first is a brand-new tool, Red Hat Trusted Artifact Signer. Built on the open-source Sigstore project, it lets developers cryptographically sign and verify software artifacts without maintaining long-lived, centrally managed signing keys. In the Sigstore model a short-lived key is bound to the identity of the developer or pipeline for each signing operation, so there is no long-lived private key to protect, rotate, or lose.

Red Hat Trusted Profile Analyzer, the second new release, provides a common repository for security documentation, including Vulnerability Exploitability eXchange (VEX) documents and Software Bills of Materials (SBOMs). A shared source for this data is meant to streamline vulnerability management: the SBOM records which components a build contains, and a VEX statement records whether a known vulnerability in one of those components is actually exploitable in the product, so teams can identify and mitigate the threats that matter first.

The third release, Red Hat Trusted Application Pipeline, combines the capabilities of Trusted Profile Analyzer and Trusted Artifact Signer with Red Hat's internal developer platform to offer integrated, security-focused development templates. The goal is to let enterprises adopt secure development practices quickly and consistently.

With an automated chain of trust that verifies artifact signatures and records provenance and attestations, organizations can use the new capabilities to confirm that a pipeline complies with policy and to obtain traceability and auditability across the continuous integration and deployment (CI/CD) process. The pipeline's vulnerability scanning and policy checks, which stop suspect builds from being promoted into production, are also available to enterprise customers.
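To make the two ideas above concrete, here is an added example, not code from Red Hat, Sigstore, or the products named on this page: a per-signing ephemeral key bound to a signer identity (the keyless pattern Trusted Artifact Signer takes from Sigstore), and a promotion gate that verifies the signature and the signed provenance against a policy before a build is allowed forward. Every identity, issuer, repository and builder name below is constructed for the example, and the identity binding is a plain field covered by the signature rather than the Fulcio certificate and Rekor log entry Sigstore actually uses.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Provenance is the build attestation bound to the artifact. Field names are
// assumed for this example, not taken from any product's attestation format.
type Provenance struct {
	Builder    string
	SourceRepo string
	Commit     string
}

// Bundle is what the pipeline keeps next to the artifact: the artifact digest,
// the ephemeral public key, the identity the key was issued to, the provenance,
// and one signature covering all of it.
type Bundle struct {
	Digest   [32]byte
	Identity string
	Issuer   string
	Prov     Provenance
	PubKey   *ecdsa.PublicKey
	Sig      []byte
}

// Policy is what the promotion gate enforces before a build reaches production.
type Policy struct {
	Issuer     string
	Identity   string
	Builder    string
	SourceRepo string
}

// payload is the exact byte string the signature covers. Length-prefixing each
// field keeps field boundaries unambiguous, so a signer cannot shift text
// from one field into another and keep the signature valid.
func payload(b *Bundle) []byte {
	var buf bytes.Buffer
	for _, f := range []string{b.Identity, b.Issuer, b.Prov.Builder, b.Prov.SourceRepo, b.Prov.Commit} {
		fmt.Fprintf(&buf, "%d:%s,", len(f), f)
	}
	buf.Write(b.Digest[:])
	return buf.Bytes()
}

// Sign models keyless signing: a fresh P-256 key pair is generated for this
// one signing, the identity is bound into the signed payload, and the private
// key is dropped when the function returns, so there is nothing long-lived to
// manage or leak.
func Sign(artifact []byte, identity, issuer string, prov Provenance) (*Bundle, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	b := &Bundle{Digest: sha256.Sum256(artifact), Identity: identity, Issuer: issuer, Prov: prov, PubKey: &priv.PublicKey}
	h := sha256.Sum256(payload(b))
	b.Sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return b, err
}

// Verify is the promotion gate: the artifact must hash to the signed digest,
// the signature must verify under the bundled key, and the identity and
// provenance that signature binds must satisfy the policy. Any failure
// returns a non-nil error and the build is not promoted.
func Verify(artifact []byte, b *Bundle, pol Policy) error {
	if sha256.Sum256(artifact) != b.Digest {
		return errors.New("artifact digest does not match signed digest")
	}
	h := sha256.Sum256(payload(b))
	if !ecdsa.VerifyASN1(b.PubKey, h[:], b.Sig) {
		return errors.New("signature invalid: bundle tampered or signed by another key")
	}
	switch {
	case b.Issuer != pol.Issuer:
		return fmt.Errorf("untrusted issuer %q", b.Issuer)
	case b.Identity != pol.Identity:
		return fmt.Errorf("signer identity %q not allowed to promote", b.Identity)
	case b.Prov.Builder != pol.Builder:
		return fmt.Errorf("builder %q not allowed", b.Prov.Builder)
	case b.Prov.SourceRepo != pol.SourceRepo:
		return fmt.Errorf("source repo %q not allowed", b.Prov.SourceRepo)
	}
	return nil
}

func main() {
	// Constructed sample input standing in for a container image or package.
	artifact := []byte("constructed sample artifact bytes for app v1.2.3")
	prov := Provenance{Builder: "tekton/release", SourceRepo: "https://git.example.com/acme/app", Commit: "d34db33f"}
	bundle, err := Sign(artifact, "release-bot@acme.example", "https://oidc.acme.example", prov)
	if err != nil {
		panic(err)
	}
	pol := Policy{Issuer: "https://oidc.acme.example", Identity: "release-bot@acme.example",
		Builder: "tekton/release", SourceRepo: "https://git.example.com/acme/app"}
	fmt.Println("genuine build:   ", Verify(artifact, bundle, pol))
	fmt.Println("swapped artifact:", Verify([]byte("rebuilt elsewhere"), bundle, pol))
	forged := *bundle
	forged.Prov.SourceRepo = "https://git.example.com/attacker/app"
	fmt.Println("edited provenance:", Verify(artifact, &forged, pol))
}
```

The gate checks the digest before the signature so that a valid bundle cannot be re-used to promote a different artifact, and checks the signature before the policy so that policy decisions are only ever made on attested values. A real pipeline would additionally confirm the identity binding against the issuing CA and look the entry up in a transparency log, which this example does not model.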

Sarwar Raza, vice president and general manager of Red Hat's Application Developer Business Unit, said, "Organizations are seeking to mitigate the risks of constantly evolving security threats in their software development — to keep and grow trust with users, customers, and partners. Red Hat Trusted Software Supply Chain is designed to seamlessly bring security capabilities into every phase of the software development life cycle. From code time to runtime, these tools help increase transparency and trust and give DevSecOps teams the ability to lay the groundwork for a more secure enterprise without impacting developer velocity or cognitive load."

Trusted Application Pipeline and Trusted Artifact Signer are now generally available. Trusted Profile Analyzer is available as a technology preview, with general availability expected by the end of June.